Security Basics mailing list archives
RE: Traces
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 31 Dec 2003 12:18:42 -0800
Eh' kinda. The TTL is decremented when the packet travels over a router. If they don't set the TTL to a random number you know, "hey he's eight hops away", but that's it. In a confined corporate network that might work better, but on a network as dynamic as the internet, not all paths have the same TTL so it's almost worthless, IMHO.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Fernando Gont [mailto:fernando () gont com ar]
Sent: Wednesday, December 31, 2003 12:17 PM
To: Shawn Jackson; Gerson Sampaio; security-basics () securityfocus com
Subject: RE: Traces

At 14:46 16/12/2003 -0800, Shawn Jackson wrote:

> Sorry, I can't think of any off hand. But I'll try and give you a little information, if it helps at all. Depending on the type of attack, how you will trace varies. For example, if you're suffering from a DDoS attack, the chances that the originating IP address is that of the initiator of the attack are slim to none. Additionally, if it's a no-response attack (Syn Flood, teardrop), the return path address in the IP header is most likely forged, seeing they don't require return traffic.

For Syn-Flood and Teardrop, you can probably have an idea of how many hops away the attacker is, by guessing the initial TTL and looking at the TTL of the incoming SYN. Of course, this will be useless if the initial TTL was set to a random number.

For some types of DDoS, such as the "reflection" attacks, if the reflecting hosts cooperate, you could use the same technique to have an idea of where the attacker is. In that case, you could do "triangulation" based on the TTL field of the packets that get to the reflectors, and thus find (or have an idea of) where the attacker is. Of course, if the attacker sets the TTL field to some "unusual" value, this "technique" will be useless.

--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
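The hop-count estimate the thread describes, written out as an added example (not code from either poster): guess the sender's initial TTL from the common OS defaults, subtract the TTL seen on the arriving SYN, and treat the estimate as unreliable when successive packets from one source imply different initial TTLs, which is the randomised-TTL case both posters warn about. The default TTL list and the SYN records are assumptions constructed for the example.

```python
from collections import defaultdict

# Widely used OS default initial TTLs (assumption; the thread does not list them).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)
# Beyond this many hops the estimate is almost certainly wrong.
MAX_PLAUSIBLE_HOPS = 30

# Constructed sample of arriving SYNs as (source address, TTL seen on arrival);
# documentation-range addresses, not a real capture.
SAMPLE_SYNS = [
    ("198.51.100.7", 52), ("198.51.100.7", 52), ("198.51.100.7", 51),
    ("203.0.113.9", 113), ("203.0.113.9", 113),
    ("192.0.2.44", 7), ("192.0.2.44", 201), ("192.0.2.44", 99), ("192.0.2.44", 140),
]


def estimate_hops(observed_ttl):
    """Guess the initial TTL as the smallest common default not below the
    observed value; each router on the path decremented it by one."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    return None  # values above 255 cannot occur in the 8-bit TTL field


def profile_source(ttls):
    """Combine several SYNs from one source into a hop estimate, or flag the
    source as unreliable when the implied initial TTL or hop count keeps changing."""
    estimates = [e for e in (estimate_hops(t) for t in ttls) if e]
    if not estimates:
        return {"reliable": False, "initial_ttl": None, "hops": None}
    initials = {e[0] for e in estimates}
    hops = sorted(e[1] for e in estimates)
    unreliable = (
        len(initials) != 1            # different implied defaults: likely randomised
        or hops[-1] - hops[0] > 2     # path length jumping around
        or hops[-1] > MAX_PLAUSIBLE_HOPS
    )
    if unreliable:
        return {"reliable": False, "initial_ttl": None, "hops": None}
    return {"reliable": True, "initial_ttl": initials.pop(), "hops": (hops[0], hops[-1])}


def profile_sources(records):
    """Group (source, ttl) records by source and profile each one."""
    by_source = defaultdict(list)
    for src, ttl in records:
        by_source[src].append(ttl)
    return {src: profile_source(ttls) for src, ttls in by_source.items()}


if __name__ == "__main__":
    for src, verdict in profile_sources(SAMPLE_SYNS).items():
        print(src, verdict)
```

Run against the sample, the first two sources yield stable estimates (about 12 and 15 hops), while 192.0.2.44 is flagged because its TTLs imply three different initial values.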